Uber faces fallout from cyberattack
Massive data breach and coverup a boon to both critics and rivals of harried ride-sharing company
SAN FRANCISCO— Dara Khosrowshahi’s appointment as head of Uber Technologies last summer was supposed to mark the beginning of a new chapter. The company had been racing from one disaster to the next, leading to boycotts, lawsuits, criminal probes, an executive exodus and an investor-led mutiny against the co-founder.
Somehow, the new chief executive officer keeps finding more horrors at every turn.
The latest is a cyberattack Uber had concealed since last year that exposed personal data on 57 million customers and drivers globally. The company, which said it had paid hackers $100,000 (U.S.) to delete the data and keep quiet, disclosed the incident on Tuesday, following an investigation commissioned by the board. The chief security officer and one of his deputies were ousted for their actions following the hack.
By Wednesday, Uber had not said how many Canadians had been affected.
Uber Canada’s blog said names, email addresses and mobile phone numbers of 57 million riders were taken, but did not provide specifics about where the customers are.
It specifies only that hackers took the driver’s licence numbers of 600,000 Uber drivers in the U.S.
The company has not responded to requests made by The Canadian Press about how many Canadians were affected.
Khosrowshahi’s role so far looks less like a turnaround artist and more like chief apology officer on behalf of his predecessor, Travis Kalanick. Since he took over, London moved toward outlawing the service, citing “a lack of corporate responsibility.” Uber is appealing. (“I apologize for the mistakes we’ve made,” Khosrowshahi said in response.) He then travelled to Brasilia to meet with officials there and ward off restrictions on Uber’s business. (“In the past, we were a bit aggressive,” he told a Brazilian newspaper.)
And now the mishandled data breach. (“We will learn from our mistakes.”)
The hacking fallout has already begun. Within hours of the disclosure, a customer filed a lawsuit seeking class-action status and New York Attorney General Eric Schneiderman launched an investigation. More U.S. states and the Federal Trade Commission, which had settled with Uber over another privacy matter in August, will probably pile on, said Jeremiah Grossman, chief of security strategy at SentinelOne Inc., which aids companies with cyberdefence. “I’m sure they’ll get another call from the FTC,” he said.
The company also faces potentially higher than usual fines from British au- thorities because the firm did not promptly disclose the hack.
Canada does not have laws requiring disclosure of data breaches, but NDP public safety critic Matthew Dube said in an email to The Canadian Press that the Uber incident shows the need for them.
“This type of hack is once again a reminder that the government needs to listen to the Privacy Commissioner and implement fines for companies who treat Canadians’ information this way. The law also needs to be changed to force companies to divulge these hacks and be transparent.”
The company still has not provided any details on the number of Canadians affected despite multiple requests, going against the importance of transparency in these matters, said Satyamoorthy Kabilan, director of national security at the Conference Board of Canada.
“That hiding of things, or that lack of communication over the breach, that is certainly a major concern for me.”
He said it’s important for companies to proactively disclose data breaches so that individuals can respond, so that security experts can learn from the breach, and to retain the trust of customers.
“What we’ve seen is organizations which are up front about what happened, they tend to retain the trust of users, whereas organizations that don’t can be hit very badly.”
The ghosts of Kalanick’s past will scare up more problems for Uber.
The hack introduces an unexpected factor in negotiations between SoftBank Group Corp. and Uber shareholders over a planned investment of as much as $10 billion, a deal Khosrowshahi has been championing. It may weigh on the company’s valuation, now at about $70 billion (U.S.), ahead of an initial public offering expected in 2019.
The breach at Uber is smaller than recent incidents at Yahoo or Equifax Inc., but the decision to keep it a secret for a year was particularly concerning.
Cybersecurity experts said Uber’s payment to the two hackers in exchange for their discretion and assurances that they delete the data was very unusual.
“I was shocked,” said Kowsik Guruswamy, chief technology officer at Menlo Security Inc. “Companies need to own up.”
Experts also questioned whether Uber was able to verify the information was truly out of the attackers’ hands.
“What guarantee or promise did they have that they deleted this data and didn’t make a backup?” Guruswamy said. “It sounds to me like the $100,000 went, not to protect the consumers, but to keep it from getting out in the news.”